E-mail and other messaging technologies have, in many cases,
replaced both the telephone and postal mail for business communications — and
with good reason. Once you have the infrastructure in place (Internet
connection, mail servers or ISP), it’s less expensive than either making long
distance calls or sending paper documents (especially if they need to get there
quickly). It’s faster than snail mail but less intrusive than a phone call, and
creates a record of the content that you don’t have when using the phone. It
can be more secure than other means of communication if encryption is used.

Because we’ve come to depend so heavily on e-mail, however, and
because it’s used so frequently and often so casually, it can present a weak spot in
our corporate security plans. Attackers and spammers
can use e-mail to get things into the network that aren’t
wanted, from advertising that wastes time and productivity to viruses that can
crash systems or cause loss of important data. Internal users can, deliberately
or inadvertently, “leak” confidential company information via e-mail. And hackers
can intercept mail and learn company or client secrets.


Why you need an e-mail security plan

Even when your company is small and you don’t have any
million-dollar trade secrets, protecting the integrity of e-mail sent to and
from your internal network is important. Viruses and malware
don’t discriminate based on size, and an infection can easily spread to
everyone in your company and then to everyone outside the company who’s in your
employees’ address books.

If you’re in a regulated industry, your electronic
communications may be governed by HIPAA, Sarbanes-Oxley
(SOX) or other compliance requirements that mandate privacy of certain
information. Even if you’re not, your company probably creates intellectual
property of some sort, and developing an e-mail security policy early on will
head off many problems in the future.

Another risk is that risqué content can put the company in a
position of legal liability if offensive material is construed to create a
“hostile work environment.” E-mail security mechanisms that filter out
potentially offensive materials help protect against Title VII sexual harassment
lawsuits based on the hostile workplace concept.

Developing an e-mail security plan

To be effective, your e-mail security plan must consist of
two parts: policy and enforcement. Your policy should spell out what is and is
not allowed in terms of incoming and outbound messages and what constitutes
abuse of the company’s e-mail system. Enforcement includes technological
mechanisms (filtering) and/or monitoring.

Courts have generally held that an employer has the right to
set rules controlling what employees can and can’t do with the company’s
equipment and infrastructure, and that employers also have the right to monitor
usage for compliance with their rules. It is best practice to notify employees
that their e-mail will or may be monitored and to have them sign a statement
confirming that they have been so notified and agree to the usage guidelines
and monitoring as a condition of employment. As the company grows, it becomes
more important to put this in writing.

Your e-mail security plan should address the following
issues:

  • Spam/advertising control
  • Virus detection and prevention
  • Content rules
  • Encryption for sensitive messages

In a small company, you may be able to use host-based
security software installed on individual computers to secure e-mail. As the
company and network grow, this becomes cumbersome and difficult to manage. You
can save the cost and effort of reconfiguration by starting from the beginning
with perimeter or server-based security. This will also prevent performance slowdowns
of your workstations caused by host-based filtering.

Enterprise level messaging security

Large companies have two options when it comes to securing
their messaging infrastructures. One is to do it yourself, in house. Add-on
programs for your firewalls and server-based enterprise level programs such as Sunbelt
Software’s IHateSpam for Exchange, GFI’s MailSecurity, SurfControl,
Dynacom’s i:mail, and other third party products can
protect against unwanted commercial e-mail, filter content, and protect against
viruses, Trojans, scripts, and blended attacks. Filtering can be implemented at
a standalone SMTP gateway or as a plug-in for your mail server software.

The second option is to use a messaging security service to
handle your email. These managed services filter incoming mail before it ever
even enters your network. This means not only is workstation performance
unaffected, there is also no load put on your network bandwidth to bring the
unwanted mail into the network, nor on your mail servers to process filtering
rules.

Managed email security services include Microsoft’s FrontBridge, Postini’s
integrated message management, IBM’s E-mail Security Management
and others. These services can handle very large
volumes of e-mail and thus are easily scalable as your business and e-mail
usage grows.

Monitoring messaging usage

Some of the content filtering programs mentioned above can
be set to block content based on key words or phrases. Monitoring software such
as Spector CNE
can not only detect the key words you specify, but can also record e-mail
messages (both sent and received) and save them to a central location, as well
as logging the content of IM and chat conversations. You can configure the
monitoring software to send an alert to an administrator whenever your
specified key words are detected.
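The keyword-based blocking and alerting described above, as an added example that is not code from the article or from any of the products it names. It assumes a gateway-style filter that sees each message as raw text: a rule table maps phrases to an action (block or alert), matching is whole-word and case-insensitive so that a policy phrase like "confidentiality" does not trip the rule for "confidential", and any non-deliver result is turned into an administrator alert line. The rule phrases, the codename, and the four sample messages are all constructed for the example.

```python
import re
from email import message_from_string

# Keyword rules, constructed for this example: phrase -> action.
# "block" stops the message at the gateway; "alert" delivers it but notifies an administrator.
RULES = {
    "project phoenix": "block",      # hypothetical confidential codename
    "credit card number": "alert",
    "confidential": "alert",
}

# Constructed sample messages (not real traffic), each a raw RFC 5322 message.
SAMPLE_MESSAGES = [
    "From: alice@example.com\r\nTo: bob@example.net\r\nSubject: lunch\r\n\r\n"
    "See you at noon.\r\n",
    "From: carol@example.com\r\nTo: dave@partner.example\r\nSubject: Project Phoenix specs\r\n\r\n"
    "Attached are the CONFIDENTIAL drawings.\r\n",
    "From: eve@example.com\r\nTo: frank@example.net\r\nSubject: reimbursement\r\n\r\n"
    "Please send your credit card number.\r\n",
    "From: grace@example.com\r\nTo: heidi@example.net\r\nSubject: policy\r\n\r\n"
    "Our confidentiality policy is attached.\r\n",
]

# The most severe action among all matches decides what happens to the message.
SEVERITY = {"deliver": 0, "alert": 1, "block": 2}


def compile_rules(rules):
    """Whole-word, case-insensitive patterns so 'confidentiality' does not trip 'confidential'."""
    return [(kw, re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE), action)
            for kw, action in rules.items()]


def text_of(msg):
    """Subject line plus every text/plain body part (multipart messages are walked)."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_message(raw, rules=RULES):
    """Return a finding: sender, subject, matched keywords, and the resulting action."""
    msg = message_from_string(raw)
    text = text_of(msg)
    matches = [(kw, action) for kw, pat, action in compile_rules(rules) if pat.search(text)]
    action = "deliver"
    for _, candidate in matches:
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return {
        "from": msg.get("From", ""),
        "subject": msg.get("Subject", ""),
        "matches": [kw for kw, _ in matches],
        "action": action,
    }


def scan_all(raws, rules=RULES):
    """Scan a batch of raw messages; the findings can be stored centrally as the audit record."""
    return [scan_message(r, rules) for r in raws]


def admin_alert(finding):
    """Text an administrator would receive for any non-deliver finding; None otherwise."""
    if finding["action"] == "deliver":
        return None
    return "ALERT [{}] from {} ({!r}) matched: {}".format(
        finding["action"], finding["from"], finding["subject"], ", ".join(finding["matches"]))


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_MESSAGES):
        print(admin_alert(finding) or "deliver: {} ({!r})".format(finding["from"], finding["subject"]))
```

Run as a script, the first and fourth messages are delivered silently, the second is blocked (the codename rule outranks the alert rule it also matches), and the third is delivered with an alert to the administrator. A real deployment would read rules from a policy file and hand the findings to the central store the monitoring product provides; the matching and severity logic would stay the same.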

Sophisticated filtering software used by services can even
analyze the content of graphics files and block or trigger an alert if
suspicious photos are found.

Protecting sensitive messages

By default, e-mail messages have no real privacy; they’re
more like postcards than sealed letters because they can easily be read by
server administrators or even hackers who use packet sniffers
to capture data as it travels across the network. Encryption “seals the
envelope” so that messages can only be read by the intended recipient.

There are many e-mail encryption solutions available, most
of which are based on public/private key pairs. Users need to enroll in a
Public Key Infrastructure and obtain a certificate from a certification
authority. Server-to-server level encryption and password protection are other
options. Some managed email services also provide encryption services. For
example, FrontBridge offers a secure email option based on identity-based
encryption, in which the user’s email address serves as the public key and the
user’s identity is automatically bound to that key, so that it’s not necessary
to go through the process of obtaining certificates.

Selecting the right solution

As always, you should consider future growth and scalability
from the very beginning when you choose an e-mail security solution. Methods
that work well for small networks, such as host-based junk mail and virus
filtering or user-managed PGP encryption for messages, may not work so well with
a larger network. A managed service can be a cost effective and scalable
solution because you don’t have to invest in extra hardware or software, you
don’t have to worry about administrative overhead, and the most popular
services are set up to handle both small and large volumes of messages.